Wednesday, July 8, 2015

3 Small to Medium Sized Network Security Solution part 3

Web Application Firewalls
A WAF operates at the application layer, where it monitors web traffic (decrypting SSL so that the requests themselves can be inspected). It reassembles web sessions and blocks identified threats in that session context; a WAF works within sessions rather than on isolated packets.
Intrusion Prevention Systems
An IPS applies a predefined policy or signature set across all traffic. It inspects packets for policy or signature violations and shuts down any threats it identifies.
There are fundamental differences between IPS and WAF. An IPS discards packets once inspected, for better performance; a WAF must retain packets to build context. Both use baselining, but in different ways: an IPS baselines for statistical deviations in throughput and traffic flows, while a WAF baselines at the application layer. An IPS is packet-smart, whereas a WAF is application-smart. A WAF protects against application-level vulnerabilities that an IPS cannot see, while an IPS provides protection at a lower level before patches for known vulnerabilities are available. A WAF should not be used as a replacement for a traditional network firewall; these solutions complement each other alongside a traditional firewall.
When considering an IPS, do we choose Stateful Packet Inspection (SPI) or Deep Packet Inspection (DPI)? The trade-off is security versus speed. SPI examines only the basic information in a packet: the header, the footer, and whether or not the packet belongs to a valid session.
DPI, as the name suggests, takes a much deeper look, but also takes a much greater performance hit. DPI makes use of greater security capabilities, including stealth payload detection and signature matching.
Once again we find that a combination of both brings the best of both worlds. In this arrangement SPI stops malformed packets at the edge and DPI handles the rest.
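The layered SPI-then-DPI arrangement described above, as a small Python model added here (it is not code from the original post): a stateful stage that admits only segments belonging to a session it has seen opened, followed by a signature stage that inspects only the payloads that survived. The packet layout, the session key and both signatures are constructed for this example and stand in for whatever a real appliance would use.

```python
import re
from dataclasses import dataclass, field
@dataclass
class Packet:                 # constructed sample packet, not a real capture
    src: str
    dst: str
    flags: str                # simplified TCP flags: "SYN", "SYN-ACK" or "ACK"
    payload: bytes = b""
@dataclass
class Inspector:
    sessions: set = field(default_factory=set)   # established (a, b) pairs
    dpi_calls: int = 0                            # how often the costly stage ran
    # Hypothetical signatures written for this example, not a vendor ruleset.
    signatures: dict = field(default_factory=lambda: {
        "path-traversal": re.compile(rb"\.\./\.\./"),
        "sqli-tautology": re.compile(rb"'\s*or\s*'?1'?\s*=\s*'?1", re.I),
    })

    def spi(self, pkt):
        # Stateful stage: header and session-table check only, payload untouched.
        key = tuple(sorted((pkt.src, pkt.dst)))  # one key serves both directions
        if pkt.flags == "SYN":
            self.sessions.add(key)                # a handshake opens a session
            return True
        return key in self.sessions              # mid-stream segment needs one

    def dpi(self, pkt):
        # Deep stage: payload signature matching, reached only if SPI passed.
        self.dpi_calls += 1
        return next((n for n, rx in self.signatures.items() if rx.search(pkt.payload)), None)

    def handle(self, pkt):
        if not self.spi(pkt):
            return "drop:no-session"
        hit = self.dpi(pkt)
        return f"block:{hit}" if hit else "allow"

def run(packets):
    # One verdict per packet, plus how many packets DPI actually had to inspect.
    insp = Inspector()
    return [insp.handle(p) for p in packets], insp.dpi_calls

SAMPLE = [  # constructed traffic: a legitimate handshake, then three probes
    Packet("10.0.0.5", "10.0.0.80", "SYN"),
    Packet("10.0.0.80", "10.0.0.5", "SYN-ACK"),
    Packet("10.0.0.5", "10.0.0.80", "ACK", b"GET /index.html HTTP/1.1"),
    Packet("192.0.2.9", "10.0.0.80", "ACK", b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.80", "ACK", b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.80", "ACK", b"user=' or '1'='1"),
]
```

Running `run(SAMPLE)` shows the division of labour: the spoofed mid-stream segment from 192.0.2.9 is dropped by the cheap stateful check and never reaches the signature engine, while the two probes that arrive inside the legitimate session are caught by DPI, so only five of the six packets paid the deep-inspection cost.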
Other considerations include using secure passwords that are changed at frequent intervals. Encryption is effective but carries risk if a user fails to remember the decryption key.
These are all important layers of any network security solution. Another layer is managed scanning of any web applications in use, for security flaws, poor coding practices, and weak configuration management. Penetration testing is another way to verify the security of your network.
With all these layers, you can see how quickly you could be overwhelmed by the administration of the various solutions being applied. Thus emerged the Unified Threat Management (UTM) appliance. Next we discuss the advantages and disadvantages of the UTM.
